07-27-2017 01:19 PM
The PA showed one of the PCs on my network was the source of a brute force attack to the Netherlands, so I blocked it. Anyone have any ideas what needs to be done to remediate the issues on the PC?
07-27-2017 01:41 PM
It was likely compromised and being used as part of a botnet. Depending on who owns the computer, I would either wipe and reimage the machine or, if it's a personal machine, only allow it back onto the network once a full system scan (virus, malware, spyware) has been run.
07-27-2017 01:51 PM
It must be being used as a relay, not sure, but it looks like the PC inside our network is trying to brute force something in the Netherlands. I was more expecting the attack to be coming in and not going out. I will have the helpdesk check for malware, virus scan and the typical checks, and wipe it if it can't be cleaned.
07-27-2017 01:53 PM
Have you looked at the traffic logs and verified the alert generated correctly? I've had the brute force alerts get screwed up before, and once I actually looked at the traffic I found out that the source and destination were mixed around. Possibly happened here too?
07-27-2017 01:59 PM
So you are thinking that the PC was probably being brute forced and it was reading it wrong? Again, how do I find out and how do I fix it? I am also thinking the attack was real but possibly the direction was wrong.
07-27-2017 02:08 PM
Take the other IP address that your PC was recorded as attacking; I'm just going to call it 1.1.1.1 and your internal machine 10.0.0.0.
Within the traffic log you can query '( addr in 1.1.1.1 ) and ( addr in 10.0.0.0 )' and that will show you what direction that traffic was actually going.
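As an added illustration (not part of this thread or of any PAN-OS tooling), the following Python mirrors that traffic-log filter offline: `addr in X` matches X as either source or destination, and the traffic log's source field identifies which side opened each session, which is what tells you whether the threat alert's attacker/victim labelling agrees with the traffic. The log records, the field names and the 1.1.1.1 / 10.0.0.0 placeholders are constructed for the example and do not reproduce the real PAN-OS export column layout.

```python
from collections import Counter

# Constructed, simplified traffic-log records (not the real PAN-OS CSV layout).
# Each record is one session; "src" is the side that initiated it.
TRAFFIC_LOGS = [
    {"src": "10.0.0.0", "dst": "1.1.1.1", "dport": 22, "app": "ssh", "action": "allow"},
    {"src": "10.0.0.0", "dst": "1.1.1.1", "dport": 22, "app": "ssh", "action": "allow"},
    {"src": "10.0.0.0", "dst": "1.1.1.1", "dport": 22, "app": "ssh", "action": "deny"},
    {"src": "1.1.1.1", "dst": "10.0.0.0", "dport": 443, "app": "ssl", "action": "allow"},
    {"src": "10.0.0.5", "dst": "8.8.8.8", "dport": 53, "app": "dns", "action": "allow"},
]

# Constructed threat-log alert under review: the firewall named the internal host as attacker.
ALERT = {"attacker": "10.0.0.0", "victim": "1.1.1.1"}


def addr_in(record, addr):
    """Mirror the filter term '( addr in X )': true when X is the source OR the destination."""
    return record["src"] == addr or record["dst"] == addr


def pair_sessions(records, a, b):
    """Mirror '( addr in a ) and ( addr in b )': sessions involving both addresses."""
    return [r for r in records if addr_in(r, a) and addr_in(r, b)]


def initiator_counts(records, a, b):
    """Count the matching sessions by direction, keyed 'initiator->responder'."""
    counts = Counter()
    for r in pair_sessions(records, a, b):
        counts[f"{r['src']}->{r['dst']}"] += 1
    return counts


def alert_direction_agrees(records, alert):
    """True if the traffic logs show the alleged attacker initiating most sessions,
    False if the victim initiated most (alert likely has src/dst swapped),
    None if no session between the pair was logged (nothing to confirm against)."""
    counts = initiator_counts(records, alert["attacker"], alert["victim"])
    forward = counts[f"{alert['attacker']}->{alert['victim']}"]
    reverse = counts[f"{alert['victim']}->{alert['attacker']}"]
    if forward == 0 and reverse == 0:
        return None
    return forward >= reverse


if __name__ == "__main__":
    for direction, n in initiator_counts(TRAFFIC_LOGS, "10.0.0.0", "1.1.1.1").items():
        print(f"{direction}: {n} session(s)")
    print("alert direction agrees with traffic logs:", alert_direction_agrees(TRAFFIC_LOGS, ALERT))
```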
07-28-2017 05:43 AM
Oh, you mean in the traffic logs. That is what was telling me that my internal PC (source) is attacking some device or devices in the Netherlands (40.113.123.212) (destination).
07-28-2017 05:48 AM
That's a pretty sure sign, then, that it was your machine that was actually sending the traffic to the Netherlands, which likely means that your tech support guys will find something when they run scans against it. Sometimes the threat logs will show the attacker as your internal machines and seem to get the attacker switched around.
07-28-2017 08:12 AM
Yeah, it will be interesting to know what is on it to be attacking the Netherlands, LOL, and I would be interested to know how it got there, but I am not sure they will spend any time on that.